We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,108 News Articles

Yahoo Mail security hole plugged

Fix deployed worldwide

Yahoo has fixed a security vulnerability in its Yahoo Mail service that could have allowed malicious hackers to hijack accounts and harm users in a variety of ways.

"We have developed a fix for this bug and have deployed it worldwide. Yahoo Mail users will not be required to take any action to be protected from this exploit," said Kelley Podboy, a Yahoo spokeswoman, via email.

Nir Goldshlager and Roni Bachar from Avnet, a computer security company based in Israel, discovered the vulnerability in early August.

The problem lay in Yahoo Mail's handling of attachments. By creating an HTML (hypertext markup language) attachment with different encoding schemes, one could have bypassed Yahoo Mail's security filter and executed malicious JavaScript code, Bachar said via email.

The exploit allowed the JavaScript code to be executed as soon as a recipient opened the email message, even if they didn't open the attachment.

It was also possible to steal the recipient's Yahoo Mail cookie, hijack the session and gain access to the person's inbox. "This attack vector could be used to launch a variety of other more sophisticated attacks," Bachar wrote. These could include unleashing worms, installing keylogger programs, phishing and scanning ports on the PC.

After identifying the vulnerability, Bachar and Goldshlager immediately alerted Yahoo, so that the vendor could patch its system. Bachar isn't aware of any known exploits of the vulnerability.


IDG UK Sites

Windows 9 release date, price, features: Microsoft teases new OS ahead of 30 September unveiling

IDG UK Sites

From the iPhone 6 to the iWatch and a new Apple TV we look at the products Apple is set to launch...

IDG UK Sites

September 2014 creative trends: 5 things you must see

IDG UK Sites

What to expect from Apple in autumn/winter 2014: iPhone 6, iPhone Air, iWatch, iPad 6, new Apple...